Bug 1842634 (CVE-2020-8164) - CVE-2020-8164 rubygem-actionpack: possible strong parameters bypass
Summary: CVE-2020-8164 rubygem-actionpack: possible strong parameters bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1842635 1842995 1842996 1846377
Blocks: 1842637
Reported: 2020-06-01 18:16 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version: rubygem-actionpack-5.2.4.3, rubygem-actionpack-6.0.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-actionpack. The return values of `each`, `each_value`, and `each_pair` on Strong Parameters objects expose the underlying untrusted hash of data, which can lead to user-supplied information leaking from Strong Parameters. Applications that use these return values may inadvertently use untrusted user input. The highest risk from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-11-08 13:50:25 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-06-01 18:16:43 UTC
There is a strong parameters bypass vector in ActionPack. In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.

Reference:
https://groups.google.com/forum/#!msg/rubyonrails-security/f6ioe4sdpbY/s8tBAMPAAQAJ
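
As an added illustration (not code from the Rails project or from this report), a minimal stand-in for `ActionController::Parameters` shows why delegating `each` to the wrapped Hash hands the raw, unpermitted hash back through the return value, and how returning `self` instead closes that path. The class names and the `leaks_raw_hash?` helper are hypothetical, and the input hash is constructed.

```ruby
# Added illustration, not Rails code: Hash#each returns the receiver, so a
# wrapper that simply delegates `@parameters.each(&block)` returns the raw,
# unfiltered Hash to whoever called `each` on the wrapper.
class LeakyParams
  def initialize(hash)
    @parameters = hash   # the untrusted data read from the request
    @permitted = false
  end

  def permitted?
    @permitted
  end

  # Vulnerable pattern: the return value is the underlying Hash itself.
  def each(&block)
    @parameters.each(&block)
  end
  alias each_pair each
end

class FixedParams < LeakyParams
  # Corrected pattern: iterate, then return the wrapper, so the return
  # value of `each` never exposes the unpermitted Hash.
  def each(&block)
    @parameters.each(&block)
    self
  end
  alias each_pair each
end

# Check a Parameters-like object the way an application-level test could:
# the return value of `each` must not be a bare Hash.
def leaks_raw_hash?(params)
  params.each { |_key, _value| }.is_a?(Hash)
end

RAW = { "name" => "alice", "admin" => "true" } # constructed sample input

if __FILE__ == $0
  puts "leaky wrapper leaks: #{leaks_raw_hash?(LeakyParams.new(RAW))}" # true
  puts "fixed wrapper leaks: #{leaks_raw_hash?(FixedParams.new(RAW))}" # false
end
```

The same check, run against a real `ActionController::Parameters` instance in an application's test suite, tells you whether the installed actionpack still returns the raw hash from `each`.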

Comment 1 Guilherme de Almeida Suckevicz 2020-06-01 18:17:02 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1842635]

Comment 3 Yadnyawalk Tale 2020-06-02 14:04:19 UTC
External References:

https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released

Comment 6 Yadnyawalk Tale 2020-06-02 14:23:18 UTC
Statement:

Red Hat CloudForms and Red Hat Satellite ship the affected RubyGem actionpack and use strong parameters; however, the products are not vulnerable since safe return values are used in product code.

